github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/engine/daemon/graphdriver/overlay/overlay.go (about) 1 //go:build linux 2 // +build linux 3 4 package overlay // import "github.com/docker/docker/daemon/graphdriver/overlay" 5 6 import ( 7 "fmt" 8 "io" 9 "os" 10 "path" 11 "path/filepath" 12 "strconv" 13 "strings" 14 15 "github.com/docker/docker/daemon/graphdriver" 16 "github.com/docker/docker/daemon/graphdriver/copy" 17 "github.com/docker/docker/daemon/graphdriver/overlayutils" 18 "github.com/docker/docker/pkg/archive" 19 "github.com/docker/docker/pkg/containerfs" 20 "github.com/docker/docker/pkg/fsutils" 21 "github.com/docker/docker/pkg/idtools" 22 "github.com/docker/docker/pkg/parsers" 23 "github.com/docker/docker/pkg/system" 24 "github.com/moby/locker" 25 "github.com/moby/sys/mount" 26 "github.com/opencontainers/selinux/go-selinux/label" 27 "github.com/sirupsen/logrus" 28 "golang.org/x/sys/unix" 29 ) 30 31 // This is a small wrapper over the NaiveDiffWriter that lets us have a custom 32 // implementation of ApplyDiff() 33 34 var ( 35 // ErrApplyDiffFallback is returned to indicate that a normal ApplyDiff is applied as a fallback from Naive diff writer. 36 ErrApplyDiffFallback = fmt.Errorf("Fall back to normal ApplyDiff") 37 backingFs = "<unknown>" 38 ) 39 40 // ApplyDiffProtoDriver wraps the ProtoDriver by extending the interface with ApplyDiff method. 41 type ApplyDiffProtoDriver interface { 42 graphdriver.ProtoDriver 43 // ApplyDiff writes the diff to the archive for the given id and parent id. 44 // It returns the size in bytes written if successful, an error ErrApplyDiffFallback is returned otherwise. 45 ApplyDiff(id, parent string, diff io.Reader) (size int64, err error) 46 } 47 48 type naiveDiffDriverWithApply struct { 49 graphdriver.Driver 50 applyDiff ApplyDiffProtoDriver 51 } 52 53 // NaiveDiffDriverWithApply returns a NaiveDiff driver with custom ApplyDiff. 54 func NaiveDiffDriverWithApply(driver ApplyDiffProtoDriver, uidMaps, gidMaps []idtools.IDMap) graphdriver.Driver { 55 return &naiveDiffDriverWithApply{ 56 Driver: graphdriver.NewNaiveDiffDriver(driver, uidMaps, gidMaps), 57 applyDiff: driver, 58 } 59 } 60 61 // ApplyDiff creates a diff layer with either the NaiveDiffDriver or with a fallback. 62 func (d *naiveDiffDriverWithApply) ApplyDiff(id, parent string, diff io.Reader) (int64, error) { 63 b, err := d.applyDiff.ApplyDiff(id, parent, diff) 64 if err == ErrApplyDiffFallback { 65 return d.Driver.ApplyDiff(id, parent, diff) 66 } 67 return b, err 68 } 69 70 // This backend uses the overlay union filesystem for containers 71 // plus hard link file sharing for images. 72 73 // Each container/image can have a "root" subdirectory which is a plain 74 // filesystem hierarchy, or they can use overlay. 75 76 // If they use overlay there is a "upper" directory and a "lower-id" 77 // file, as well as "merged" and "work" directories. The "upper" 78 // directory has the upper layer of the overlay, and "lower-id" contains 79 // the id of the parent whose "root" directory shall be used as the lower 80 // layer in the overlay. The overlay itself is mounted in the "merged" 81 // directory, and the "work" dir is needed for overlay to work. 82 83 // When an overlay layer is created there are two cases, either the 84 // parent has a "root" dir, then we start out with an empty "upper" 85 // directory overlaid on the parents root. This is typically the 86 // case with the init layer of a container which is based on an image. 87 // If there is no "root" in the parent, we inherit the lower-id from 88 // the parent and start by making a copy in the parent's "upper" dir. 89 // This is typically the case for a container layer which copies 90 // its parent -init upper layer. 91 92 // Additionally we also have a custom implementation of ApplyLayer 93 // which makes a recursive copy of the parent "root" layer using 94 // hardlinks to share file data, and then applies the layer on top 95 // of that. This means all child images share file (but not directory) 96 // data with the parent. 97 98 type overlayOptions struct{} 99 100 // Driver contains information about the home directory and the list of active mounts that are created using this driver. 101 type Driver struct { 102 home string 103 uidMaps []idtools.IDMap 104 gidMaps []idtools.IDMap 105 ctr *graphdriver.RefCounter 106 supportsDType bool 107 locker *locker.Locker 108 } 109 110 func init() { 111 graphdriver.Register("overlay", Init) 112 } 113 114 // Init returns the NaiveDiffDriver, a native diff driver for overlay filesystem. 115 // If overlay filesystem is not supported on the host, the error 116 // graphdriver.ErrNotSupported is returned. 117 // If an overlay filesystem is not supported over an existing filesystem then 118 // error graphdriver.ErrIncompatibleFS is returned. 119 func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) { 120 _, err := parseOptions(options) 121 if err != nil { 122 return nil, err 123 } 124 125 // Perform feature detection on /var/lib/docker/overlay if it's an existing directory. 126 // This covers situations where /var/lib/docker/overlay is a mount, and on a different 127 // filesystem than /var/lib/docker. 128 // If the path does not exist, fall back to using /var/lib/docker for feature detection. 129 testdir := home 130 if _, err := os.Stat(testdir); os.IsNotExist(err) { 131 testdir = filepath.Dir(testdir) 132 } 133 134 if err := overlayutils.SupportsOverlay(testdir, false); err != nil { 135 logrus.WithField("storage-driver", "overlay").Error(err) 136 return nil, graphdriver.ErrNotSupported 137 } 138 139 fsMagic, err := graphdriver.GetFSMagic(testdir) 140 if err != nil { 141 return nil, err 142 } 143 if fsName, ok := graphdriver.FsNames[fsMagic]; ok { 144 backingFs = fsName 145 } 146 147 supportsDType, err := fsutils.SupportsDType(testdir) 148 if err != nil { 149 return nil, err 150 } 151 if !supportsDType { 152 if !graphdriver.IsInitialized(home) { 153 return nil, overlayutils.ErrDTypeNotSupported("overlay", backingFs) 154 } 155 // allow running without d_type only for existing setups (#27443) 156 logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs)) 157 } 158 159 currentID := idtools.CurrentIdentity() 160 _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) 161 if err != nil { 162 return nil, err 163 } 164 dirID := idtools.Identity{ 165 UID: currentID.UID, 166 GID: rootGID, 167 } 168 169 // Create the driver home dir 170 if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { 171 return nil, err 172 } 173 d := &Driver{ 174 home: home, 175 uidMaps: uidMaps, 176 gidMaps: gidMaps, 177 ctr: graphdriver.NewRefCounter(graphdriver.NewFsChecker(graphdriver.FsMagicOverlay)), 178 supportsDType: supportsDType, 179 locker: locker.New(), 180 } 181 182 return NaiveDiffDriverWithApply(d, uidMaps, gidMaps), nil 183 } 184 185 func parseOptions(options []string) (*overlayOptions, error) { 186 o := &overlayOptions{} 187 for _, option := range options { 188 key, _, err := parsers.ParseKeyValueOpt(option) 189 if err != nil { 190 return nil, err 191 } 192 key = strings.ToLower(key) 193 switch key { 194 default: 195 return nil, fmt.Errorf("overlay: unknown option %s", key) 196 } 197 } 198 return o, nil 199 } 200 201 func (d *Driver) String() string { 202 return "overlay" 203 } 204 205 // Status returns current driver information in a two dimensional string array. 206 // Output contains "Backing Filesystem" used in this implementation. 207 func (d *Driver) Status() [][2]string { 208 return [][2]string{ 209 {"Backing Filesystem", backingFs}, 210 {"Supports d_type", strconv.FormatBool(d.supportsDType)}, 211 } 212 } 213 214 // GetMetadata returns metadata about the overlay driver such as root, 215 // LowerDir, UpperDir, WorkDir and MergeDir used to store data. 216 func (d *Driver) GetMetadata(id string) (map[string]string, error) { 217 dir := d.dir(id) 218 if _, err := os.Stat(dir); err != nil { 219 return nil, err 220 } 221 222 metadata := make(map[string]string) 223 224 // If id has a root, it is an image 225 rootDir := path.Join(dir, "root") 226 if _, err := os.Stat(rootDir); err == nil { 227 metadata["RootDir"] = rootDir 228 return metadata, nil 229 } 230 231 lowerID, err := os.ReadFile(path.Join(dir, "lower-id")) 232 if err != nil { 233 return nil, err 234 } 235 236 metadata["LowerDir"] = path.Join(d.dir(string(lowerID)), "root") 237 metadata["UpperDir"] = path.Join(dir, "upper") 238 metadata["WorkDir"] = path.Join(dir, "work") 239 metadata["MergedDir"] = path.Join(dir, "merged") 240 241 return metadata, nil 242 } 243 244 // Cleanup any state created by overlay which should be cleaned when daemon 245 // is being shutdown. For now, we just have to unmount the bind mounted 246 // we had created. 247 func (d *Driver) Cleanup() error { 248 return mount.RecursiveUnmount(d.home) 249 } 250 251 // CreateReadWrite creates a layer that is writable for use as a container 252 // file system. 253 func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error { 254 return d.Create(id, parent, opts) 255 } 256 257 // Create is used to create the upper, lower, and merge directories required for overlay fs for a given id. 258 // The parent filesystem is used to configure these directories for the overlay. 259 func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr error) { 260 261 if opts != nil && len(opts.StorageOpt) != 0 { 262 return fmt.Errorf("--storage-opt is not supported for overlay") 263 } 264 265 dir := d.dir(id) 266 267 rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps) 268 if err != nil { 269 return err 270 } 271 root := idtools.Identity{UID: rootUID, GID: rootGID} 272 273 currentID := idtools.CurrentIdentity() 274 dirID := idtools.Identity{ 275 UID: currentID.UID, 276 GID: rootGID, 277 } 278 if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil { 279 return err 280 } 281 282 defer func() { 283 // Clean up on failure 284 if retErr != nil { 285 os.RemoveAll(dir) 286 } 287 }() 288 289 // Toplevel images are just a "root" dir 290 if parent == "" { 291 // This must be 0755 otherwise unprivileged users will in the container will not be able to read / in the container 292 return idtools.MkdirAndChown(path.Join(dir, "root"), 0755, root) 293 } 294 295 parentDir := d.dir(parent) 296 297 // Ensure parent exists 298 if _, err := os.Lstat(parentDir); err != nil { 299 return err 300 } 301 302 // If parent has a root, just do an overlay to it 303 parentRoot := path.Join(parentDir, "root") 304 305 if s, err := os.Lstat(parentRoot); err == nil { 306 if err := idtools.MkdirAndChown(path.Join(dir, "upper"), s.Mode(), root); err != nil { 307 return err 308 } 309 if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil { 310 return err 311 } 312 return os.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0600) 313 } 314 315 // Otherwise, copy the upper and the lower-id from the parent 316 317 lowerID, err := os.ReadFile(path.Join(parentDir, "lower-id")) 318 if err != nil { 319 return err 320 } 321 322 if err := os.WriteFile(path.Join(dir, "lower-id"), lowerID, 0600); err != nil { 323 return err 324 } 325 326 parentUpperDir := path.Join(parentDir, "upper") 327 s, err := os.Lstat(parentUpperDir) 328 if err != nil { 329 return err 330 } 331 332 upperDir := path.Join(dir, "upper") 333 if err := idtools.MkdirAndChown(upperDir, s.Mode(), root); err != nil { 334 return err 335 } 336 if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil { 337 return err 338 } 339 340 return copy.DirCopy(parentUpperDir, upperDir, copy.Content, true) 341 } 342 343 func (d *Driver) dir(id string) string { 344 return path.Join(d.home, id) 345 } 346 347 // Remove cleans the directories that are created for this id. 348 func (d *Driver) Remove(id string) error { 349 if id == "" { 350 return fmt.Errorf("refusing to remove the directories: id is empty") 351 } 352 d.locker.Lock(id) 353 defer d.locker.Unlock(id) 354 return system.EnsureRemoveAll(d.dir(id)) 355 } 356 357 // Get creates and mounts the required file system for the given id and returns the mount path. 358 func (d *Driver) Get(id, mountLabel string) (_ containerfs.ContainerFS, err error) { 359 d.locker.Lock(id) 360 defer d.locker.Unlock(id) 361 dir := d.dir(id) 362 if _, err := os.Stat(dir); err != nil { 363 return nil, err 364 } 365 // If id has a root, just return it 366 rootDir := path.Join(dir, "root") 367 if _, err := os.Stat(rootDir); err == nil { 368 return containerfs.NewLocalContainerFS(rootDir), nil 369 } 370 371 mergedDir := path.Join(dir, "merged") 372 if count := d.ctr.Increment(mergedDir); count > 1 { 373 return containerfs.NewLocalContainerFS(mergedDir), nil 374 } 375 defer func() { 376 if err != nil { 377 if c := d.ctr.Decrement(mergedDir); c <= 0 { 378 if mntErr := unix.Unmount(mergedDir, 0); mntErr != nil { 379 logrus.WithField("storage-driver", "overlay").Debugf("Failed to unmount %s: %v: %v", id, mntErr, err) 380 } 381 // Cleanup the created merged directory; see the comment in Put's rmdir 382 if rmErr := unix.Rmdir(mergedDir); rmErr != nil && !os.IsNotExist(rmErr) { 383 logrus.WithField("storage-driver", "overlay").Warnf("Failed to remove %s: %v: %v", id, rmErr, err) 384 } 385 } 386 } 387 }() 388 lowerID, err := os.ReadFile(path.Join(dir, "lower-id")) 389 if err != nil { 390 return nil, err 391 } 392 rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps) 393 if err != nil { 394 return nil, err 395 } 396 if err := idtools.MkdirAndChown(mergedDir, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { 397 return nil, err 398 } 399 var ( 400 lowerDir = path.Join(d.dir(string(lowerID)), "root") 401 upperDir = path.Join(dir, "upper") 402 workDir = path.Join(dir, "work") 403 opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerDir, upperDir, workDir) 404 ) 405 if err := unix.Mount("overlay", mergedDir, "overlay", 0, label.FormatMountLabel(opts, mountLabel)); err != nil { 406 return nil, fmt.Errorf("error creating overlay mount to %s: %v", mergedDir, err) 407 } 408 // chown "workdir/work" to the remapped root UID/GID. Overlay fs inside a 409 // user namespace requires this to move a directory from lower to upper. 410 if err := os.Chown(path.Join(workDir, "work"), rootUID, rootGID); err != nil { 411 return nil, err 412 } 413 return containerfs.NewLocalContainerFS(mergedDir), nil 414 } 415 416 // Put unmounts the mount path created for the give id. 417 // It also removes the 'merged' directory to force the kernel to unmount the 418 // overlay mount in other namespaces. 419 func (d *Driver) Put(id string) error { 420 d.locker.Lock(id) 421 defer d.locker.Unlock(id) 422 // If id has a root, just return 423 if _, err := os.Stat(path.Join(d.dir(id), "root")); err == nil { 424 return nil 425 } 426 mountpoint := path.Join(d.dir(id), "merged") 427 logger := logrus.WithField("storage-driver", "overlay") 428 if count := d.ctr.Decrement(mountpoint); count > 0 { 429 return nil 430 } 431 if err := unix.Unmount(mountpoint, unix.MNT_DETACH); err != nil { 432 logger.Debugf("Failed to unmount %s overlay: %v", id, err) 433 } 434 435 // Remove the mountpoint here. Removing the mountpoint (in newer kernels) 436 // will cause all other instances of this mount in other mount namespaces 437 // to be unmounted. This is necessary to avoid cases where an overlay mount 438 // that is present in another namespace will cause subsequent mounts 439 // operations to fail with ebusy. We ignore any errors here because this may 440 // fail on older kernels which don't have 441 // torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied. 442 if err := unix.Rmdir(mountpoint); err != nil { 443 logger.Debugf("Failed to remove %s overlay: %v", id, err) 444 } 445 return nil 446 } 447 448 // ApplyDiff applies the new layer on top of the root, if parent does not exist with will return an ErrApplyDiffFallback error. 449 func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64, err error) { 450 dir := d.dir(id) 451 452 if parent == "" { 453 return 0, ErrApplyDiffFallback 454 } 455 456 parentRootDir := path.Join(d.dir(parent), "root") 457 if _, err := os.Stat(parentRootDir); err != nil { 458 return 0, ErrApplyDiffFallback 459 } 460 461 // We now know there is a parent, and it has a "root" directory containing 462 // the full root filesystem. We can just hardlink it and apply the 463 // layer. This relies on two things: 464 // 1) ApplyDiff is only run once on a clean (no writes to upper layer) container 465 // 2) ApplyDiff doesn't do any in-place writes to files (would break hardlinks) 466 // These are all currently true and are not expected to break 467 468 tmpRootDir, err := os.MkdirTemp(dir, "tmproot") 469 if err != nil { 470 return 0, err 471 } 472 defer func() { 473 if err != nil { 474 os.RemoveAll(tmpRootDir) 475 } else { 476 os.RemoveAll(path.Join(dir, "upper")) 477 os.RemoveAll(path.Join(dir, "work")) 478 os.RemoveAll(path.Join(dir, "merged")) 479 os.RemoveAll(path.Join(dir, "lower-id")) 480 } 481 }() 482 483 if err = copy.DirCopy(parentRootDir, tmpRootDir, copy.Hardlink, true); err != nil { 484 return 0, err 485 } 486 487 options := &archive.TarOptions{UIDMaps: d.uidMaps, GIDMaps: d.gidMaps} 488 if size, err = graphdriver.ApplyUncompressedLayer(tmpRootDir, diff, options); err != nil { 489 return 0, err 490 } 491 492 rootDir := path.Join(dir, "root") 493 if err := os.Rename(tmpRootDir, rootDir); err != nil { 494 return 0, err 495 } 496 497 return 498 } 499 500 // Exists checks to see if the id is already mounted. 501 func (d *Driver) Exists(id string) bool { 502 _, err := os.Stat(d.dir(id)) 503 return err == nil 504 }